A way to drop incoming external connections to external IP, allowing the same, when from local processes to same address, but not with Netfilter?

albus (New Member, joined Dec 19, 2024)
Hi! Tell me please, is there any capability in Linux to drop the initiation of external incoming network connections, but allow the same kind of traffic to the external IP when the connection was originated locally? Other than Netfilter capabilities. Any kernel option in "/etc/sysctl.*" or anything else?

For example: interface eth1 has the external IP 1.2.3.4. Is there a way, other than Netfilter, to drop connections initiated by something like "curl 1.2.3.4" from a neighbouring computer, but accept them when "curl 1.2.3.4" is done locally on the host?

I know how to do it with Netfilter/iptables/nftables rules. The question is about the existence of other ways, maybe kernel options and so on.

Thank you!
While Netfilter/iptables/nftables are the most common tools for managing network traffic in Linux, there are a few other methods you might consider:

  1. TCP Wrappers: This is a host-based networking ACL system that can filter network access to Internet services based on IP addresses. However, it primarily works with services that are compiled with libwrap support and might not be as flexible as Netfilter.
  2. sysctl Configuration: While /etc/sysctl.conf and related files are used for kernel parameter tuning, they don't provide direct capabilities for filtering network traffic based on connection initiation. They are more suited for adjusting network stack parameters like TCP window sizes, IP forwarding, etc.
  3. Advanced Routing (ip rule): You can use ip rule and ip route commands to create advanced routing rules. For example, you can create rules that route traffic differently based on the source IP address. This method is more complex and might not directly achieve the exact filtering you described but can be part of a broader solution.
  4. eBPF (Extended Berkeley Packet Filter): eBPF allows you to run sandboxed programs in the Linux kernel without changing kernel source code or loading kernel modules. It can be used for advanced packet filtering and monitoring. Tools like bpfilter or xdp (eXpress Data Path) can leverage eBPF for high-performance packet filtering.
Unfortunately, there isn't a straightforward kernel parameter in /etc/sysctl.* that can achieve the specific filtering you described without using Netfilter or similar tools. If you need precise control over network traffic, Netfilter/iptables/nftables remain the most robust and flexible options.
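Item 4 above is the one route that really sits outside Netfilter, so here is a concrete illustration of it. The XDP program below is an added example, not code from either reply: it drops inbound TCP SYNs addressed to 1.2.3.4 at the driver hook of the interface it is attached to (eth1 in the question). The interface name, the address, the section and function names and the build/attach commands are assumptions for illustration. It fits the asker's case because a local `curl 1.2.3.4` is routed over `lo` (`ip route get 1.2.3.4` reports `local 1.2.3.4 dev lo`), so it never passes the eth1 hook at all, while a SYN/ACK answering a connection the host itself opened is not a bare SYN and is passed through. The host-side block at the end is a self-test that only a normal C compiler builds; it feeds the classifier a constructed frame from a made-up neighbour 10.0.0.2.

```c
/* Added example (not from the thread): XDP program that drops inbound TCP
 * SYNs addressed to 1.2.3.4 on the interface it is attached to (eth1 in the
 * question). Interface, address and all names are assumptions.
 * Assumed build/attach commands (clang and iproute2):
 *   clang -O2 -g -target bpf -c drop_syn.c -o drop_syn.o
 *   ip link set dev eth1 xdpgeneric obj drop_syn.o sec xdp
 *   ip link set dev eth1 xdpgeneric off        # detach again
 */
#include <linux/types.h>
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/tcp.h>

#ifndef SEC
#define SEC(name) __attribute__((section(name), used))
#endif
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#define HTONS(x) __builtin_bswap16(x)
#define HTONL(x) __builtin_bswap32(x)
#else
#define HTONS(x) (x)
#define HTONL(x) (x)
#endif
#define PROTO_TCP 6
#define TARGET_BE HTONL(0x01020304u)    /* 1.2.3.4, hypothetical external IP */

/* Pure classifier. Every header access is bounds-checked against data_end,
 * which is what the BPF verifier demands before the program may be loaded. */
static inline __attribute__((always_inline))
int decide(void *data, void *data_end, __u32 target_be)
{
    struct ethhdr *eth = data;
    if ((void *)(eth + 1) > data_end || eth->h_proto != HTONS(ETH_P_IP))
        return XDP_PASS;                          /* not IPv4: leave alone */
    struct iphdr *ip = (void *)(eth + 1);
    if ((void *)(ip + 1) > data_end || ip->ihl < 5)
        return XDP_PASS;
    if (ip->protocol != PROTO_TCP || ip->daddr != target_be)
        return XDP_PASS;                          /* other traffic untouched */
    struct tcphdr *tcp = (void *)ip + ip->ihl * 4; /* honour IP options */
    if ((void *)(tcp + 1) > data_end)
        return XDP_PASS;
    /* SYN without ACK is a new connection attempt arriving from the wire.
     * A SYN/ACK answering a connection this host opened is let through. */
    if (tcp->syn && !tcp->ack)
        return XDP_DROP;
    return XDP_PASS;
}

SEC("xdp")
int xdp_drop_external_syn(struct xdp_md *ctx)
{
    return decide((void *)(long)ctx->data, (void *)(long)ctx->data_end, TARGET_BE);
}
char _license[] SEC("license") = "GPL";

#ifndef __BPF__
/* Host-side self-test, compiled only by an ordinary C compiler: build a
 * constructed Ethernet/IPv4/TCP frame and run decide() over it. */
#include <string.h>
#include <stdio.h>
#define FRAME_LEN (sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct tcphdr))

int classify_frame(__u32 daddr_be, int syn, int ack)
{
    /* 2 bytes of padding in front of the 14-byte Ethernet header keeps the
     * IP and TCP headers 4-byte aligned, the same trick the kernel uses. */
    unsigned char raw[2 + FRAME_LEN] __attribute__((aligned(4)));
    unsigned char *buf = raw + 2;
    struct ethhdr *eth = (struct ethhdr *)buf;
    struct iphdr *ip = (struct iphdr *)(buf + sizeof *eth);
    struct tcphdr *tcp = (struct tcphdr *)(buf + sizeof *eth + sizeof *ip);
    memset(raw, 0, sizeof raw);
    eth->h_proto = HTONS(ETH_P_IP);
    ip->version = 4; ip->ihl = 5; ip->protocol = PROTO_TCP;
    ip->saddr = HTONL(0x0a000002u);               /* 10.0.0.2, constructed */
    ip->daddr = daddr_be;
    tcp->source = HTONS(40000); tcp->dest = HTONS(80); tcp->doff = 5;
    tcp->syn = syn; tcp->ack = ack;
    return decide(buf, buf + FRAME_LEN, TARGET_BE);
}

int main(void)
{
    printf("SYN to 1.2.3.4     -> %s\n", classify_frame(TARGET_BE, 1, 0) == XDP_DROP ? "DROP" : "PASS");
    printf("SYN/ACK to 1.2.3.4 -> %s\n", classify_frame(TARGET_BE, 1, 1) == XDP_DROP ? "DROP" : "PASS");
    printf("SYN to 5.6.7.8     -> %s\n", classify_frame(HTONL(0x05060708u), 1, 0) == XDP_DROP ? "DROP" : "PASS");
    return 0;
}
#endif
```

Two caveats for anyone trying this: the filter is stateless (it never consults conntrack, which runs later in the stack), so the neighbour's SYN is silently discarded rather than rejected, and it only looks at IPv4/TCP; UDP, IPv6 and fragments pass untouched unless you extend the classifier. `xdpgeneric` attaches even on drivers without native XDP support, at the cost of running after the skb is allocated.
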
I know you specifically asked not to use iptables/netfilter,
but you could also do this with a firewall. I use Fedora/Red Hat distros, which use firewalld, but
I'm sure you could do the same thing with ufw. They use iptables/netfilter under the covers, but
are often easier to configure.

Here's how you can block an IP address using firewall-cmd:

  1. Open a terminal on your Linux system.
  2. Run the following command to block the IP address (replace A.B.C.D with the actual IP address you want to block):
    Code:
     sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='A.B.C.D' reject"
  3. Reload the firewall to apply the changes:
    Code:
     sudo firewall-cmd --reload
For example, to block the IP address 192.168.1.100, you would use:

Code:
 sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.100' reject"
 sudo firewall-cmd --reload

If you want to block a specific ethernet interface...
  1. Code:
     # rich rules belong to a zone, not to an interface: bind the interface
     # to a zone first, then add the rule to that zone (ZONE is a placeholder)
     sudo firewall-cmd --permanent --zone=ZONE --change-interface=INTERFACE
     sudo firewall-cmd --permanent --zone=ZONE --add-rich-rule="rule family='ipv4' source address='A.B.C.D' reject"
  2. Reload the firewall to apply the changes:
    Code:
     sudo firewall-cmd --reload
For example, to block the IP address 192.168.1.100 on the interface eth1, you would use:

Code:
 # eth1 is bound here to the built-in public zone
 sudo firewall-cmd --permanent --zone=public --change-interface=eth1
 sudo firewall-cmd --permanent --zone=public --add-rich-rule="rule family='ipv4' source address='192.168.1.100' reject"
 sudo firewall-cmd --reload